Saturday, 27 June 2015

install and configure tacacs/freeradius in centos


1) Get the TAC rpm on google based your linux architecture and install
[root@www ~]#rpm -ivh tac_plus-4.0.4.26-1.el6.nux.x86_64.rpm
warning: tac_plus-4.0.4.26-1.el6.nux.x86_64.rpm: Header V4 RSA/SHA1 Signature, k                                                            ey ID 85c6cd8a: NOKEY
Preparing...                ########################################### [100%]
        package tac_plus-4.0.4.26-1.el6.nux.x86_64 is already installed


2) Edit config file

[root@www ~]# vi /etc/tac_plus.conf
key = "MYKEY"
accounting file = /var/log/tac.acct
# authentication users not appearing elsewhere via
# the file /etc/passwd
#default authentication = file /etc/passwd

acl = default   {
                #permit = 192\.168\.0\.
                permit = 10\.255\.160\.7     <<<<< this is the IP I was to allow
}

# Example of host-specific configuration:
host = 10.255.160.7 {
        prompt = "Enter your Unix username and password, Username: "
        # Enable password for the router, generate a new one with tac_pwd
        enable = des xb5MO66xiT93Q  <<<< des + password generated with tac_pwd
}

# Group that is allowed to do most configuration on all interfaces etc.
group = sysadmin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd:
        #login = file /etc/passwd
        # or authenticated via PAM:
        login = PAM
        acl = default

        # Needed for the router to make commands available to user (subject
        # to authorization if so configured on the router
        service = exec {
                priv-lvl = 15
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit .*
        }
        cmd = interface {
                permit FastEthernet.*
                permit GigabitEthernet.*
        }
        cmd =  switchport  {
                permit "access vlan.*"
                permit "trunk encapsulation.*"
                permit "mode.*"
                permit "trunk allowed vlan.*"
        }
        cmd = description {
                permit .*
        }

        cmd = no {
                permit shutdown
        }

}

user = joe {
        login = cleartext MYpassword  <<<< to put pwd in cleartext in config use "cleartext"
        #member = sysadmin
        member = admin
}

user = testuser {
        default service = permit
        login = PAM
        member = admin
}

user = fred {
        login = PAM
        member = sysadmin
}

# User account configured for use with "rancid"
user = rancid {
        # Generate a new password with tac_pwd
        #login = des LXUxLCkFhGpwA

        service = exec {
                priv-lvl = 15
        }

        cmd = show { permit .* }
        cmd = exit { permit .* }
        cmd = dir { permit .* }
        cmd = write { permit term }
}

# Global enable level 15 password, generate a new one with tac_pwd
user = $enab15$ {
        login = des xb5MO66xiT93Q
}

#user = DEFAULT {
#       login = PAM
#member = default
#}

***** AX config ( A10 load balancer  config)
authorization commands 15 method tacplus
authentication type tacplus local
authentication console type tacplus local
authentication login privilege-mode
accounting exec start-stop tacplus
accounting commands 15 stop-only tacplus
tacacs-server host 10.255.161.55 secret secret-encrypted CtFNhJOqYs08EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn port 49 timeout 12


[root@www ~]# ssh joe@10.255.160.7
Password:
Last login: Sun Jun 21 03:11:07 2015 from 10.255.161.55

ACOS System is ready now.

[type ? for help]

AX02#
******************************** FREERADIUS *****************************
[root@www ~]# ls freeradius-*
freeradius-2.1.12-6.el6.x86_64.rpm
freeradius-mysql-2.1.12-6.el6.x86_64.rpm
freeradius-utils-2.1.12-6.el6.x86_64.rpm
[root@www ~]#

[root@www ~]# rpm -ivh freeradius-*
Preparing...                ########################################### [100%]
   1:freeradius             ########################################### [ 33%]
   2:freeradius-mysql       ########################################### [ 67%]
   3:freeradius-utils       ########################################### [100%]

[root@www ~]# service radiusd restart
Stopping radiusd:                                          [  OK  ]
Starting radiusd:                                          [  OK  ]

3) check whether ports are listening/open
[root@www ~]# netstat -nulp | grep radiu
udp        0      0 0.0.0.0:44946               0.0.0.0:*                               19995/radiusd
udp        0      0 0.0.0.0:1812                0.0.0.0:*                               19995/radiusd
udp        0      0 0.0.0.0:1813                0.0.0.0:*                               19995/radiusd
udp        0      0 0.0.0.0:1814                0.0.0.0:*                               19995/radiusd
udp        0      0 127.0.0.1:18120             0.0.0.0:*                               19995/radiusd

**** Adding user
[root@www ~]# vi /etc/raddb/users
#"John Doe"     Cleartext-Password := "hello"
siaka Cleartext-Password := "password"

**** testing server connectivity
[root@www ~]# radtest siaka password localhost 1812 testing123
Sending Access-Request of id 4 to 127.0.0.1 port 1812
        User-Name = "siaka"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=4, length=20 ( this is good sign)

**** adding client
[root@www ~]# vi /etc/raddb/clients.conf
client 10.255.160.7 {
        secret          = testing123
}

[root@www ~]# service radiusd restart
Stopping radiusd:                                          [  OK  ]
Starting radiusd:                                          [  OK  ]
[root@www ~]#


******* A10 box config
AX02(config)#radius-server host 10.255.161.55 secret testing123
AX02(config)#authentication type radius local
AX02(config)#accounting exec start-stop radius

******* test time
Last login: Sun Jun 21 20:50:23 2015 from 10.200.2.150

ACOS System is ready now.

[type ? for help]

AX02#


******* on A10 box
AX02#sh radius-server
Radius server              : 10.255.161.55
contact start              : 2
contact failed             : 0
authentication success     : 1
authentication failed      : 0
authorization success      : 1


****************************** other resources
https://networklessons.com/linux/how-to-install-tacacs-on-linux-centos/

No comments:

Post a Comment